Reflecting on the 2022 cybersecurity landscape

2022 became the year of password hygiene, as experts around the world highlighted the very simple, but very important step of improving passwords to help protect your systems. Poor passwords are responsible for millions of breaches every year, and making simple improvements could have a very significant impact. Overall, there were more than 1,000 major data breach incidents in 2022, compromising more than 550 million records globally. These astronomical figures are likely much higher, as despite international legislation, many breaches are not disclosed, and / or the extent of the attack and breach is simply not known.

Human error still the leading challenge

According to the 2022 Data Breach Investigations Report from Verizon, 82% of breaches still involve an human element, be that error or misuse. Setting poor passwords, falling for scams, clicking links, sharing misinformation, and deliberately compromising data, all contribute to the reality of cyber insecurity. Training is one of the easiest ways to help reduce the risk from human error, while quality policies and procedures, such as user rights and good quality passwords also play a role.

Ransomware and malware continues to grow

Ransomware and malware ran rampant throughout 2022, fuelled extensively by the growth in Ransomware as a Service (RaaS) providers, who connect hacking amateurs with ransomware tools. It remained one of the leading causes of security breaches in 2022, as, combined with human error, it provided the distribution system that enabled many of these attacks. Training, robust user policies, and security settings all help to reduce the likelihood and impact of these types of attack.

2022 also saw a growth in more sophisticated hacks and targeting, with hackers focussing on lateral extension (supply chain attacks), seeking to compromise providers of systems such as cloud computing, and using that to onward compromise their clients. Spoofing attacks (where hackers closely mimic a legitimate business), clickjacking (where hackers exploit website vulnerabilities to insert additional content such as malware) and session riding (where hackers fraudulently ask you for your login details and then use the credentials for onward hacking), all reached new heights, dominating the cyber landscape.

IoT makes things harder to control

The continued boom in internet connected devices (dubbed the Internet of Things – IoT) adds an additional control challenge. The more and more devices that can connect to the internet or your network, the more potential there is for a breach through poor security settings, particularly when many devices don’t meet even the most basic of security levels. Businesses need to prioritise robust policies that outline how and when devices can connect to the network, as well as identifying best practice for home networks as employees continue to connect from home.

Reflecting back, month by month…

January 2022: January kicked off the year with 66 million breached records, in what many hoped would not set the precedent for the year to come. In reality, there were four months in 2022 with higher breach totals, making January middle of the road. Educational and medical establishments were the primary targets, with schools, colleges and hospitals topping the list of breaches. Russian state attacks were also starting to accelerate ahead of what we now know to be the Ukraine conflict launch in February, with an attack on Gloucester City Council linked to Russian criminals.
February 2022: as news broke of the Russian invasion of Ukraine, February actually saw a ‘low’ number of breaches, if you can call 5 million records small. It would in fact turn out to be the ‘best’ month for cybersecurity in 2022, despite attacks on SEPA (Scottish Environmental Protection Agency), the NHS, Vodafone Portugal, and NFL team the San Francisco 49ers among others.
March 2022:as the world continued to watch the Ukraine war unfold, retaliation attacks began on Russian sites. Hacktivists targeted Russian government sites in particular, although news media sites were also targets. March was the fourth highest month for breached records with over 75 million, including the data of New York students, holidaymakers that had booked with a UK ferry company, and children from the Isle of White whose data was breached via email in a computer system error.
April 2022: April closed as the third lowest month for breaches incidents, with 14 million records released in breach incidents. It was also the month when the National Cyber Security Centre released its annual cyber breach survey results, highlighting that 39% of businesses have identified a breach, costing on average £4,200 for an SME and £19,400 for a larger business. April also saw retailers thrust into the spotlight, as The Works was forced to close some of its outlets due to a hack, and Funky Pigeon was forced to suspend ordering too. The Government also came under scrutiny, as data from the Foreign Office was published on Russian sites, the Home Office was forced to apologise after CC’ing more than 170 email addresses publicly, and the British Army had to take its recruitment portal offline.
May 2022: May saw just shy of 50 million records breached, with UK-related reports largely coming back to incidents of human error, most notably at the University of Essex, Cornwall Council, and Central Bedfordshire Council. Verizon released its annual assessment of data breaches, identifying that 82% of incidents came back to human error, and 62% of system intrusions came as a result of supply chain compromise. May also saw what would become the first of many warnings about apps and social media trends that exist purely to harvest personal data, as NewProfilePic.com was traced back to a company in Russia with suspect. Interestingly, May also saw the five year anniversary of the Wannacry ransomware attack on the NHS, which was observed with the release of an impact report, highlighting that affected hospitals saw 3,800 fewer patients and 13,500 appointments were cancelled.
June 2022: June saw just shy of 35 million records breached, and was a month impacting online retail and IT systems. Clarion, the UK’s biggest social housing provider, confirmed that it had been hacked, taking its IT systems offline in an incident that would persist for the remainder of 2022. Yodel was also attacked, as was Apetito, the parent brand of Wiltshire Farm Foods, which saw its systems taken offline. Microsoft released a major security patch for the Follina zero-day vulnerability, which let threat actors exploit its diagnostic tool, while a report from Hiscox highlighted that business size no longer matters to the likelihood of receiving a cyber attack, with SMEs experiencing the same number of incidents as much larger businesses.
July 2022: July was the worst month of the year for breached records, with over 100 million breached. In the main this was the result of a number of extremely large incidents rather than an increase in overall incident frequency. Virtual pet website Neopets (like a Tamagotchi) experienced a hack that stole the website source code in addition to the details of 69million users, while Mangatoon, a website for reading comics, saw a breach that resulted in the loss of 23 million personal records. What’s more, a phishing page designed to look like the Facebook login page, managed to harvest 1 million records. Two major reports also shaped July, with IBM releasing its cost of a data breach report, highlighting that cyber attacks drive costs higher, with 60% of affected businesses ultimately raising their prices to recoup costs. It also identified that paying the ransom doesn’t pay, with a lot of cases paying out more in ransom than it saves them in costs. Meanwhile, a report from Tessian found that 1 in 3 employees don’t appreciate the importance of cybersecurity, with 20% saying that they don’t care about it at work at all.
August 2022: August came in a close second to July with 97 million records breached, again through a number of large incidents. Interestingly, employee led breaches also peaked during August, not least with the accusation that former President of the United States Donald Trump misappropriated secure data for personal gain. Password security platform LastPass suffered a breach but remained confident that client data was not compromised, meanwhile the NHS grappled with increasing piles of paperwork after an attack on their main IT provider. Gloucester City Council was finally able to reinstated voters back on the register after suffering a breach eight months earlier, and sensitive employee data was publicly released after a hack on South Staffordshire Water. Google (Android) and Apple both released significant security updates for their phone platforms, meanwhile the Microsoft Cyber Signals report highlighted the growing trend in RaaS attacks, and secondary attacks on those already breached.
September 2022: September saw a return to average with ‘just’ 35.5 million records breached, with the biggest incident being a hack on Optus, an Australian telecoms giant, which saw 10 million records breached – approximately 40% of the Australian population. VMWare released its Global Incident Threat Response report, which highlighted that 25% of incidents now involve ‘lateral movement’ i.e. a supply chain attack used to access your systems. In addition, a Microsoft Teams flaw and WeTransfer scams highlighted the importance of staff training.
October 2022: October was the second highest month for incidents, but actually only saw 9.9million records breached. It was also cybersecurity awareness month with hundreds of resources and articles shared, designed to improve your cybersecurity understanding. It also saw us launch our monthly cyber snapshot email to clients, supporting you to be aware of the most important issues and training opportunities. Most notably, Meta released a report in October, highlighting a rise in the number of ‘dud’ apps (over 400) that don’t work very well, but actually exist to harvest your login data. A Canadian report on SME vulnerabilities highlighted that 8 in 10 SME businesses are at risk from an attack because they are not proactively securing mitigations.
November 2022: November closed with 32 million records breached, predominantly from two main incidents – one at Twitter and one at Russian scooter-sharing company Whoosh. An alleged breach of WhatsApp of more than 500 million records, couldn’t be verified and therefore was not included in the total. Following hot on the heels of cybersecurity awareness month, a plethora of reports were published, many focusing on poor password hygiene. NordPass highlighted that the most common password is still ‘password’, while LastPass identified that 62% of people commonly reuse passwords, despite ‘high confidence’ that they are good at password management. The Microsoft Digital Defence Report highlights 921 password attacks happen every year, while a report from NordVPN found that consumers are happy to hand over personally identifiable data in exchange for a Christmas bargain. Finally, November also saw the National Cyber Security Centre (NCSC) release its Annual Report.
December 2022: December closed middle-of-the-road with 31.5 million records breached. Google Chrome released a major update to patch a zero day vulnerability flaw. The 2022 Cybersecurity Census Report highlighted that 50% of IT professionals have known about an attack but have not reported it, and that 32% of employers let their employees set their own passwords despite the risks. A french hospital in Versailles was forced to postpone operations after a cyber attack.

Reflecting on the 2022 cybersecurity landscape

Human error still the leading challenge

Ransomware and malware continues to grow

IoT makes things harder to control

Reflecting back, month by month…

We’re here to help